GitHub blogged they are creating SBOMs in SPDX format


Manbeck, Jack
 

Looks like GitHub has a self-service option to create SBOMs for a GitHub Project based on SPDX!

See this blog from them.

 

Best Regards,

 

Jack Manbeck

Outreach Chair

 

 


Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay)
 

Hi,

 

I did some quick tests.

I always get invalid SPDX, mostly with “Empty license expression” and “No SPDX element found for SPDX ID” flagged by the validator.

 

Does anyone know where to file bugs?

 

Best regards,

 

Marc-Etienne

 

From: spdx@... <spdx@...> On Behalf Of Manbeck, Jack via lists.spdx.org
Sent: Wednesday, March 29, 2023 10:01 PM
To: SPDX-general <spdx@...>
Subject: [spdx] GitHub blogged they are creating SBOMs in SPDX format


William Bartholomew (CELA)
 

We raised the first issue with them yesterday and they are working on it. Do you have more detail on the second?


From: spdx@... <spdx@...> on behalf of Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay) via lists.spdx.org <marc-etienne.vargenau=nokia.com@...>
Sent: Thursday, March 30, 2023 9:32:24 AM
To: spdx@... <spdx@...>
Cc: Marc-Etienne Vargenau (Nokia) <marc-etienne.vargenau@...>
Subject: [EXTERNAL] Re: [spdx] GitHub blogged they are creating SBOMs in SPDX format


Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay)
 

Hi,

 

Try Export SBOM at:

https://github.com/nexB/license-expression/network/dependencies

 

Best regards,

 

Marc-Etienne

 

From: William Bartholomew (CELA) <willbar@...>
Sent: Thursday, March 30, 2023 6:52 PM
To: spdx@...
Cc: Marc-Etienne Vargenau (Nokia) <marc-etienne.vargenau@...>
Subject: Re: GitHub blogged they are creating SBOMs in SPDX format


Adolfo
 

I noticed this too!
Yesterday I got in contact with GitHub security and got the name of the person to talk to about suggesting improvements. I wrote to them and offered to help improve it myself if it has an open source backend, or at least to create some issues suggesting those improvements.

On Thu, Mar 30, 2023 at 10:32 AM Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay) <marc-etienne.vargenau@...> wrote:


Anthony Harrison
 

I have experimented with it and have the following observations:

1. All license information is marked as NOASSERTION (all files in the Git Repo have SPDX license ids in the files)
2. There are no relationships defined
3. It is not NTIA compliant

On Thu, 30 Mar 2023 at 17:51, William Bartholomew (CELA) via lists.spdx.org <willbar=microsoft.com@...> wrote:
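A small lint pass, added here as an illustration (it is not GitHub's or the SPDX project's code), that runs the checks Marc-Etienne and Anthony describe over an SPDX 2.x JSON document: license expressions that are present but empty, relationships that reference an SPDX ID the document never defines, NOASSERTION-only licensing, and missing relationships. It goes slightly beyond the thread by also checking the per-package NTIA minimum elements (name, version, supplier); the SBOM it parses is a constructed sample, not a real GitHub export.

```python
import json

# Constructed sample (not a real GitHub export) reproducing the defects reported
# above: an empty license expression, NOASSERTION-only licensing, a relationship
# pointing at an SPDX ID the document never defines, and a package lacking the
# supplier and version that the NTIA minimum elements require.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"SPDXID": "SPDXRef-pkg-a", "name": "pkg-a",
         "licenseConcluded": "", "licenseDeclared": "NOASSERTION"},
        {"SPDXID": "SPDXRef-pkg-b", "name": "pkg-b", "versionInfo": "2.1.0",
         "supplier": "Organization: Example Org", "licenseDeclared": "NOASSERTION"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-missing"},
    ],
})

LICENSE_FIELDS = ("licenseConcluded", "licenseDeclared")
NTIA_PACKAGE_FIELDS = ("name", "versionInfo", "supplier")  # per-package NTIA minimum elements


def lint_sbom(text):
    """Return a list of finding strings; an empty list means every check passed."""
    doc = json.loads(text)
    packages = doc.get("packages", [])
    relationships = doc.get("relationships", [])
    findings = []
    known_ids = {doc.get("SPDXID"), "NOASSERTION", "NONE"}  # IDs a relationship may reference
    known_ids |= {e.get("SPDXID") for e in packages + doc.get("files", [])}
    for pkg in packages:
        pid = pkg.get("SPDXID", "?")
        for field in LICENSE_FIELDS:  # present but blank: the validator's "Empty license expression"
            if field in pkg and str(pkg[field]).strip() == "":
                findings.append(f"{pid}: empty license expression in {field}")
        for field in NTIA_PACKAGE_FIELDS:
            if not pkg.get(field):
                findings.append(f"{pid}: missing NTIA minimum element '{field}'")
    if packages and all(p.get("licenseDeclared") == "NOASSERTION" for p in packages):
        findings.append("all packages declare NOASSERTION licensing")
    if not relationships:
        findings.append("no relationships defined (NTIA requires dependency relationships)")
    for rel in relationships:
        for ref in (rel.get("spdxElementId"), rel.get("relatedSpdxElement")):
            if ref not in known_ids:
                findings.append(f"no SPDX element found for SPDX ID {ref}")
    return findings
```

Run it against a real export with `lint_sbom(open("sbom.json").read())`; a document that passes here is not necessarily valid SPDX, so still follow up with the full validator.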


Kate Stewart
 

Moving this thread to the spdx-tech list. The main spdx mail list is supposed to be low volume, for announcements.

The developers at GitHub are working to address the issues; let's give them some time to roll out fixes.


On Thu, Mar 30, 2023 at 1:02 PM Anthony Harrison <anthony.p.harrison@...> wrote: